HIGH RISK
Echo Protocol Admin Key Breach Leads To $77M EBTC Mint On Monad
A compromised admin key allowed an attacker to mint $77M in fake eBTC on Monad, borrow WBTC on Curvance, and launder 384 ETH through Tornado Cash. Actual losses: ~$816K.
Our Analysis
On May 19, 2026, Echo Protocol — a Bitcoin-focused DeFi platform operating on the Monad blockchain — suffered a significant security breach after an attacker gained access to a compromised admin key. The attacker used the DEFAULT_ADMIN_ROLE to grant themselves MINTER_ROLE privileges, then minted approximately 1,000 unauthorized eBTC tokens with a notional value of roughly $77 million. While the headline figure was alarming, security researchers later determined that the actual confirmed losses amounted to approximately $816,000, as the remaining minted tokens were ultimately recovered and burned.
The attacker executed a carefully planned extraction sequence after minting the unauthorized eBTC. They deposited 45 eBTC, worth approximately $3.45 million, into the Curvance decentralized lending protocol as collateral. Against this collateral, the attacker borrowed 11.29 WBTC valued at approximately $867,700. The borrowed WBTC was then bridged from Monad to Ethereum, swapped for ETH, and approximately 384 ETH (worth ~$821,700) was funneled into Tornado Cash to obscure the trail. The remaining 955 eBTC stayed in wallets that Echo Protocol was ultimately able to recover.
The root cause was not a smart contract vulnerability in the traditional sense but rather an operational and access-control failure in key management. Three critical security oversights enabled this exploit: a single admin key with no backup or multi-signature requirement, no timelock delay on sensitive admin functions such as role grants, and no cap on the amount of eBTC that could be minted in a single operation. The combination of these failures meant that one compromised key could grant unrestricted minting authority and immediately exercise it.
Echo Protocol confirmed in a post-incident statement that it had regained control of the admin keys and burned the remaining 955 unauthorized eBTC. The team paused cross-chain functionality for its Monad deployment and completed contract upgrades to restrict affected operations and strengthen control over sensitive functions. As a precautionary measure, Echo also fully paused its Aptos bridge operations despite that deployment being unaffected.
This incident underscores the importance of robust key management practices in DeFi protocols. Projects handling significant value should implement multi-signature admin controls, timelocked governance actions, and hard caps on sensitive operations such as token minting. Users should evaluate whether protocols they interact with have published their key management policies and whether admin functions are subject to timelocks or multi-party approval. The gap between the $77 million notional exposure and the $816,000 actual loss illustrates how rapid incident response can limit damage, but also how close this exploit came to being far more destructive.
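As an added illustration (not Echo Protocol's code), the following OpenZeppelin-based token contract implements two of the controls discussed above: a delayed, event-emitting role grant in place of the immediate `grantRole`, and a rolling-window mint cap so that a compromised minter cannot create the whole supply in one transaction. Contract, role and parameter names are hypothetical; the multisig requirement applies to whoever holds DEFAULT_ADMIN_ROLE and is a deployment decision rather than something the contract enforces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical bridged-BTC token (not Echo's eBTC): adds a delay on role grants and a bounded
// mint rate. The admin should be a multisig; that is a deployment choice, not enforceable here.
contract GuardedBridgeToken is ERC20, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    uint256 public constant GRANT_DELAY = 48 hours;
    uint256 public constant MINT_WINDOW = 1 days;
    uint256 public immutable mintCapPerWindow; // max units mintable per MINT_WINDOW
    uint256 public windowStart;
    uint256 public mintedInWindow;
    // keccak256(role, account) => earliest timestamp at which the grant may execute
    mapping(bytes32 => uint256) public grantReadyAt;
    event GrantScheduled(bytes32 indexed role, address indexed account, uint256 readyAt);
    constructor(address admin, uint256 cap) ERC20("Guarded BTC", "gBTC") {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        mintCapPerWindow = cap;
    }
    function decimals() public pure override returns (uint8) { return 8; }
    // Step 1 of a grant: emit an event that off-chain monitoring can alert on, then wait.
    function scheduleGrant(bytes32 role, address account) external onlyRole(getRoleAdmin(role)) {
        bytes32 id = keccak256(abi.encode(role, account));
        require(grantReadyAt[id] == 0, "already scheduled");
        grantReadyAt[id] = block.timestamp + GRANT_DELAY;
        emit GrantScheduled(role, account, grantReadyAt[id]);
    }
    // Step 2: the grant takes effect only after GRANT_DELAY. revokeRole stays immediate.
    function executeGrant(bytes32 role, address account) external onlyRole(getRoleAdmin(role)) {
        bytes32 id = keccak256(abi.encode(role, account));
        uint256 readyAt = grantReadyAt[id];
        require(readyAt != 0 && block.timestamp >= readyAt, "grant not ready");
        delete grantReadyAt[id];
        _grantRole(role, account);
    }
    // Close the immediate path so a single admin key cannot bypass the delay.
    function grantRole(bytes32, address) public pure override { revert("use scheduleGrant"); }
    // A compromised minter is bounded to mintCapPerWindow per window, not the whole supply.
    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        if (block.timestamp >= windowStart + MINT_WINDOW) {
            windowStart = block.timestamp;
            mintedInWindow = 0;
        }
        require(mintedInWindow + amount <= mintCapPerWindow, "mint cap exceeded for window");
        mintedInWindow += amount;
        _mint(to, amount);
    }
}
```

The `GrantScheduled` event is the detection hook: an unexpected scheduled grant gives the team the full delay to revoke the pending grant or rotate the admin before any minting authority changes hands.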
RugPull News • May 19, 2026
Rug Pull Score
7.5/10
Based on our analysis
🚩 Red Flags Identified
- Single admin key with no backup controlled minting privileges for the entire eBTC token supply on Monad
- No timelock on admin functions — attacker could immediately grant MINTER_ROLE after obtaining DEFAULT_ADMIN_ROLE
- No minting cap on eBTC allowed 1,000 tokens ($77M) to be created in a single unauthorized transaction
- 384 ETH (~$821K) laundered through Tornado Cash within hours of the exploit
- Curvance lending protocol accepted fraudulently minted eBTC as valid collateral without additional verification
Disclaimer: This analysis is for informational purposes only and should not be considered financial advice. Always conduct your own research before making investment decisions.